Event Triggered Execution - T1546
(ATT&CK® Technique)
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1546["Event Triggered Execution"] --> |executes| Command["Command"]; class T1546 OffensiveTechniqueNode;
class Command ArtifactNode; click Command href "/dao/artifact/d3f:Command";
click T1546 href "/offensive-technique/attack/T1546/"; click Command href "/dao/artifact/d3f:Command"; T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"]; class T1546 OffensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; T1546["Event Triggered Execution"] --> |produces| Process["Process"]; class T1546 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1546 href "/offensive-technique/attack/T1546/"; click Process href "/dao/artifact/d3f:Process"; T1546["Event Triggered Execution"] --> |creates| Shim["Shim"]; class T1546 OffensiveTechniqueNode;
class Shim ArtifactNode; click Shim href "/dao/artifact/d3f:Shim";
click T1546 href "/offensive-technique/attack/T1546/"; click Shim href "/dao/artifact/d3f:Shim"; T1546["Event Triggered Execution"] --> |invokes| CreateProcess["Create Process"]; class T1546 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1546 href "/offensive-technique/attack/T1546/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1546["Event Triggered Execution"] --> |modifies| EventLog["Event Log"]; class T1546 OffensiveTechniqueNode;
class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
click T1546 href "/offensive-technique/attack/T1546/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1546["Event Triggered Execution"] --> |modifies| ConfigurationResource["Configuration Resource"]; class T1546 OffensiveTechniqueNode;
class ConfigurationResource ArtifactNode; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource";
click T1546 href "/offensive-technique/attack/T1546/"; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource"; T1546["Event Triggered Execution"] --> |creates| ExecutableFile["Executable File"]; class T1546 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1546["Event Triggered Execution"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1546["Event Triggered Execution"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1546["Event Triggered Execution"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546["Event Triggered Execution"] --> |loads| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1546 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1546 href "/offensive-technique/attack/T1546/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1546["Event Triggered Execution"] --> |may-create| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546["Event Triggered Execution"] --> |may-create| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode;
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1546["Event Triggered Execution"] --> |may-modify| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |may-modify| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546["Event Triggered Execution"] --> |may-modify| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode;
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1546["Event Triggered Execution"] --> |modifies| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; T1546["Event Triggered Execution"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"]; class T1546 OffensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
click T1546 href "/offensive-technique/attack/T1546/"; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile"; T1546["Event Triggered Execution"] --> |modifies| PowerShellProfileScript["PowerShell Profile Script"]; class T1546 OffensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript";
click T1546 href "/offensive-technique/attack/T1546/"; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; T1546["Event Triggered Execution"] --> |modifies| ShimDatabase["Shim Database"]; class T1546 OffensiveTechniqueNode;
class ShimDatabase ArtifactNode; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase";
click T1546 href "/offensive-technique/attack/T1546/"; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
DecoyFile["Decoy File"] -.->
| May Deceive | T1546["Event Triggered Execution"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | PropertyListFile["Property List File"];
class DecoyFile DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | PowerShellProfileScript["PowerShell Profile Script"];
class DecoyFile DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | UserInitConfigurationFile["User Init Configuration File"];
class DecoyFile DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | SharedLibraryFile["Shared Library File"];
class DecoyFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableScript["Executable Script"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
DynamicAnalysis["Dynamic Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class DynamicAnalysis DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | Process["Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | Process["Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableScript["Executable Script"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableBinary["Executable Binary"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | UserInitConfigurationFile["User Init Configuration File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | PropertyListFile["Property List File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; ProcessSuspension["Process Suspension"] -->
| suspends | Process["Process"];
ProcessSuspension["Process Suspension"] -.->
| May Evict | T1546["Event Triggered Execution"] ;
class ProcessSuspension DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessTermination["Process Termination"] -->
| terminates | Process["Process"];
ProcessTermination["Process Termination"] -.->
| May Evict | T1546["Event Triggered Execution"] ;
class ProcessTermination DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; FileRemoval["File Removal"] -->
| deletes | ExecutableScript["Executable Script"];
FileRemoval["File Removal"] -.->
| May Evict | T1546["Event Triggered Execution"] ;
class FileRemoval DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] -->
| deletes | UserInitConfigurationFile["User Init Configuration File"];
class FileRemoval DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] -->
| deletes | ExecutableBinary["Executable Binary"];
class FileRemoval DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] -->
| deletes | PropertyListFile["Property List File"];
class FileRemoval DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] -->
| deletes | PowerShellProfileScript["PowerShell Profile Script"];
class FileRemoval DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] -->
| deletes | SharedLibraryFile["Shared Library File"];
class FileRemoval DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileRemoval["File Removal"] -->
| deletes | ExecutableFile["Executable File"];
class FileRemoval DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableScript["Executable Script"];
FileEncryption["File Encryption"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | PropertyListFile["Property List File"];
class FileEncryption DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | SharedLibraryFile["Shared Library File"];
class FileEncryption DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | UserInitConfigurationFile["User Init Configuration File"];
class FileEncryption DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableScript["Executable Script"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | UserInitConfigurationFile["User Init Configuration File"];
class LocalFilePermissions DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
| encrypts | PowerShellProfileScript["PowerShell Profile Script"];
class FileEncryption DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | SharedLibraryFile["Shared Library File"];
class LocalFilePermissions DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | PropertyListFile["Property List File"];
class LocalFilePermissions DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | PowerShellProfileScript["PowerShell Profile Script"];
class LocalFilePermissions DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; SystemConfigurationPermissions["System Configuration Permissions"] -->
| restricts | SystemConfigurationDatabase["System Configuration Database"];
SystemConfigurationPermissions["System Configuration Permissions"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class SystemConfigurationPermissions DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions"; SoftwareUpdate["Software Update"] -->
| updates | Shim["Shim"];
SoftwareUpdate["Software Update"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class SoftwareUpdate DefensiveTechniqueNode;
class Shim ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableScript["Executable Script"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | PowerShellProfileScript["PowerShell Profile Script"];
ExecutableDenylisting["Executable Denylisting"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] -->
| restricts | CreateProcess["Create Process"];
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableScript["Executable Script"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | PowerShellProfileScript["PowerShell Profile Script"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| restricts | CreateProcess["Create Process"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | Process["Process"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; RestoreConfiguration["Restore Configuration"] -->
| restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
RestoreConfiguration["Restore Configuration"] -.->
| May Restore | T1546["Event Triggered Execution"] ;
class RestoreConfiguration DefensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] -->
| restores | SharedLibraryFile["Shared Library File"];
RestoreFile["Restore File"] -.->
| May Restore | T1546["Event Triggered Execution"] ;
class RestoreFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] -->
| restores | ConfigurationResource["Configuration Resource"];
class RestoreConfiguration DefensiveTechniqueNode;
class ConfigurationResource ArtifactNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] -->
| restores | ExecutableBinary["Executable Binary"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | ExecutableScript["Executable Script"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] -->
| restores | ShimDatabase["Shim Database"];
class RestoreConfiguration DefensiveTechniqueNode;
class ShimDatabase ArtifactNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] -->
| restores | PropertyListFile["Property List File"];
class RestoreFile DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | UserInitConfigurationFile["User Init Configuration File"];
class RestoreFile DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | PowerShellProfileScript["PowerShell Profile Script"];
class RestoreFile DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] -->
| restores | SystemConfigurationDatabase["System Configuration Database"];
RestoreDatabase["Restore Database"] -.->
| May Restore | T1546["Event Triggered Execution"] ;
class RestoreDatabase DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreSoftware["Restore Software"] -->
| restores | Shim["Shim"];
RestoreSoftware["Restore Software"] -.->
| May Restore | T1546["Event Triggered Execution"] ;
class RestoreSoftware DefensiveTechniqueNode;
class Shim ArtifactNode;
click RestoreSoftware href "/technique/d3f:RestoreSoftware"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | PropertyListFile["Property List File"];
class FileAnalysis DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | UserInitConfigurationFile["User Init Configuration File"];
class FileAnalysis DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class FileAnalysis DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
class FileAnalysis DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | Process["Process"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -->
| analyzes | UserInitConfigurationFile["User Init Configuration File"];
UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class UserSessionInitConfigAnalysis DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis"; MandatoryAccessControl["Mandatory Access Control"] -->
| restricts | CreateProcess["Create Process"];
MandatoryAccessControl["Mandatory Access Control"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class MandatoryAccessControl DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; MandatoryAccessControl["Mandatory Access Control"] -->
| isolates | Process["Process"];
class MandatoryAccessControl DefensiveTechniqueNode;
class Process ArtifactNode;
click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";